
CWmike writes "Gregg Keizer reports that Adobe's Reader X stymied a recent attack campaign, researchers said Thursday. But they're not sure why. 'I don't want to take anything away from Adobe — after all, a win is a win — but this particular exploit appears to be designed with previous versions of Reader in mind,' said Chris Greamo, who heads the security research lab at Invincea. 'What appears to have happened is that the exploit breaks, but we don't have a good sense if the sandbox was able to contain it.' Reader X, an upgrade issued last year, features a 'sandbox' designed to protect users from PDF exploits. Adobe claimed that a recently-addressed bug in Chrome that lets attackers escape the browser's sandbox was not present in Reader X's sandbox code. Google patched that bug, the first to earn the company's top bug bounty of $3,133, three weeks ago. Adobe said Thursday it will ship its next regular update for Reader on Tuesday, Feb. 8."

Also, you're comparing apples and oranges. xpdf is ugly and, last I checked, lacking features. A fairer comparison would be with the flagship open source pdf reader, namely Okular. The file size may still be smaller but remember the Qt/KDE shared libraries it loads.

No, it's not fair. First, if you're using Gnome, you'll probably use evince instead of okular. Just as okular uses the same toolkit as KDE, evince uses the same toolkit as Gnome.

Secondly, why wouldn't Adobe Reader use the native Windows toolkit? You're supposed to use the native toolkit of an OS (or DE), not only because it's more efficient, but also because it results in a consistent look and feel. So if Adobe is using their own toolkit, then that's their own stupid fault, it's not something to give them

I use Gnome (haven't been back to KDE since 3.5) but I think Okular is a better document reader. I don't complain about the download size because I accept that a more sophisticated, polished UI brings in a bunch of dependencies that just using X won't provide.

On Windows, plenty of applications don't use the native Win32 toolkit. As an example, develop using Visual C++, with a toolkit such as MFC? A bunch of libraries need to be distributed with your app, even if the installer hides them under c:\windows.

<i>I use Gnome (haven't been back to KDE since 3.5) but I think Okular is a better document reader. I don't complain about the download size because I accept that a more sophisticated, polished UI brings in a bunch of dependencies that just using X won't provide.</i>

This is only because of the ongoing fragmentation between Gnome and KDE. If they ever merge them into a single DE for Linux (and other free *nixes), then this will no longer be a problem.

"X11 will still be there"? Nope, the idea of wayland is X11 won't need to be included at all by default. Gnome and KDE will be wayland native via their respective GTK+ and Qt backends. Adding Xpdf will seem bloated because you'll have to start an X11 process on top of wayland - whereas today that comes for free.

<i>"X11 will still be there"? Nope, the idea of wayland is X11 won't need to be included at all by default. Gnome and KDE will be wayland native via their respective GTK+ and Qt backends. Adding Xpdf will seem bloated because you'll have to start an X11 process on top of wayland - whereas today that comes for free.</i>

That's not my understanding at all, according to what I've read about the plans for Wayland. Yes, in a more minimalist distro, X11 could be eliminated. However, most distros will

"Gnome and KDE merge? unlikely, they're chalk and cheese."

I forgot to reply to this. What's so different between these two anyway, except for Gnome having less configurability (which could easily be emulated in KDE by just specifying certain config options and removing some stuff in the system setup menus)? Essentially, they both do pretty much the same thing: provide a similarly-functioning desktop environment, with a "start" menu button which brings up a menu with applications installed (and I believe t

The point is X will be an *optional* service that runs on top of wayland. Qt and Gtk+ will support wayland from day one by the time Ubuntu ships it. Those who "ssh -X" can download a bunch of optional packages. I won't miss it on my home desktop and won't bother to install and run X just to load up xpdf when wayland-native alternatives such as Okular exist.

Naturally distros will include X for the reasons you mention. Once wayland is sufficiently mature, don't expect a consumer oriented distro like Ubuntu to

The problem is Adobe Acrobat Professional, or whatever they call their expensive software for creating PDFs. In order to get people to keep buying new versions they have to keep adding more and more features. Which means that Adobe Reader has to be constantly updated so that it can read PDFs with all those new features. New features equals new bugs and security exploits.

So we can make documents. We can set them to be editable or not editable and add stuff that makes these work as webpages. So, tell me again why you would pay for that instead of just making a web page (sorry, I think it is the web developer in me not understanding why you would pay so much for something you could get for free legally)?

There's lots of good reasons to make and use PDFs. For instance, suppose you're a magazine publisher, and you want to make your magazines available on the internet (or on DVD-ROM) for reading electronically. Not only your newest issues either, but also all your old issues, going back decades. With PDF, that's easy: the old issues you can scan into a PDF from your archive copies, and the new issues can probably be directly exported to PDF from whatever publishing software you use, yielding much higher qua

Sure. Everything has bugs now and then. Adobe Reader has so many that they added a sandbox. We're just starting to do that with web browsers, and they're supposed to run "programs" of a sort. We're always reading about some new PDF code execution problem. You're not seriously claiming PNG and MP3 have as many exploits as PDF...?

PNG and MP3 don't have exploits, programs do. I've never heard about any exploit in my PDF reader, and while lack of user base is a reason for it, supporting only a reasonable subset of the full spec is important.

You probably haven't heard of any because you don't strictly need to target PDF. You just target something it supports. Like packaged fonts. Then you can exploit FreeType, which exists on virtually every platform (it must as a prerequisite to PDF).

Oh yeah... and that example actually happened. All readers were vulnerable, even Okular.

That's because there's no standard scripting section for those container formats, as far as I'm aware. Without some way to package in code that can be executed in a way that the target will understand at all, the exploit isn't going anywhere.

If you work for Microsoft and are reading this, please, for the love of all that's holy, do not define such a thing, even as a vendor extension. Even if it lets you do something you think is neat. Such a change could only ever cause grief and pain, which would be redoub

You know what's sad? My iPhone opens PDFs faster than Acrobat. How about when you have a network printer set up and you're not connected to that network? Acrobat hangs the entire machine while trying to connect to it.

Tell me again why we need our applications to be bloated and buggy when they're run on desktops?

You may feel the need to have a bloated and buggy Acrobat, but I found that it's actually optional.

By removing most of the plug-ins that it installs by default, it avoids a lot of the security holes. Do I give a damn if a PDF on my box can execute javascript, send an email, play a media stream, or be translated into a voice reader for the blind? No. So I yanked probably a dozen default plug-ins, and my Windows version of PDF reader has a much reduced attack surface as a result. As a side benefit, it ope

Any program that interprets untrusted information could benefit from a sandbox. While directly it prevents the interpreted code from explicitly accessing outside its bounds, it also protects the system from bugs in the interpreter that could cause the interpreter itself to perform actions outside its environment.

Since you mention PNG, I have seen examples of security patches for PNG and TIFF viewers that addressed security problems because it was possible to execute arbitrary code based on a bug in the viewer's interpretation of the picture data. (usually through overflows)

This came as a surprise to me with TIFF because I thought TIFF was raw uncompressed picture data and that would be immune to interpretation, but that was not the case.

Sadly the same reason why my MS Office 2K is a nice light word processor and 2K7 is a little piggy, it is called feature creep [wikipedia.org]. You see bug fixes aren't sexy and don't sell copies of software, whereas whiz bang new features do. Every year you have some PHB saying "Where's my new bullet point list of goodies to hand to the salesmen?" and you had damned well better have that bullet point done son!

Of course the fact that we have truly insane amounts of hardware doesn't help either. I remember during the days of

It appears it's a useful feature because many applications allow commands to be embedded in documents - even ones you might not expect, like vim. From FreeBSD's pkg-message [freebsd.org] for editors/vim:

SECURITY NOTE: The VIM software has had several remote vulnerabilities discovered within VIM's modeline support. It allowed remote attackers to execute arbitrary code as the user running VIM. All known problems have been fixed, but the FreeBSD Security Team advises that VIM users use 'set nomodeline' in ~/.vimrc to avoid th
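The modeline mechanism the port message warns about is easy to audit for. The following is an added example, not code from the thread or from the FreeBSD port: a small Python scanner that reports vim-style modelines in the first and last lines of a file, which is the window vim itself inspects by default (`modelines=5`). The regular expression is a simplified approximation of the two modeline forms documented in vim's `:help modeline` (it does not handle version-gated variants such as `vim700:`), and the sample inputs are constructed for the demonstration.

```python
import re

# vim only honours modelines in the first and last `modelines` lines of a
# file (default 5); the scanner mirrors that window so it reports what vim
# would actually act on, not every stray "vim:" in a long file.
DEFAULT_WINDOW = 5

# Simplified approximation of the two documented forms (assumption: covers
# the common cases, not version-gated "vim700:" style prefixes):
#   [text]{white}{vi:|vim:|Vim:|ex:}[white]{options}
#   [text]{white}{vi:|vim:|Vim:|ex:}[white]se[t] {options}:[text]
MODELINE_RE = re.compile(
    r"(?:^|\s)(?:vi|vim|Vim|ex):\s*(?:se(?:t)?\s+)?([^:\n]*?)(?::|$)"
)


def find_modelines(text, window=DEFAULT_WINDOW):
    """Return [(line_number, options)] for modelines vim would honour.

    Only the first `window` and last `window` lines are examined, matching
    vim's default behaviour; a modeline buried in the middle is ignored.
    """
    lines = text.splitlines()
    n = len(lines)
    head = range(min(window, n))
    tail = range(max(n - window, 0), n)
    hits = []
    seen = set()
    for idx in list(head) + list(tail):
        if idx in seen:
            continue  # short files overlap head and tail; report once
        seen.add(idx)
        match = MODELINE_RE.search(lines[idx])
        if match:
            hits.append((idx + 1, match.group(1).strip()))
    return hits


# Constructed sample: a shell script carrying a modeline in the first and
# last lines, both inside vim's default window.
SAMPLE_SCRIPT = """#!/bin/sh
# vim: set ts=4 sw=4 noexpandtab:
echo hello
echo world
echo more
echo lines
echo body
# ex: se ft=sh:
"""

# Constructed sample: a modeline on line 6 of an 11-line file, outside both
# the first-5 and last-5 windows, so vim (and the scanner) ignore it.
SAMPLE_MIDDLE = "\n".join(
    ["line %d" % i for i in range(1, 6)]
    + ["/* vi:ts=8 */"]
    + ["line %d" % i for i in range(7, 12)]
)


if __name__ == "__main__":
    for name, text in (("script", SAMPLE_SCRIPT), ("middle", SAMPLE_MIDDLE)):
        print(name, find_modelines(text))
```

Running the scanner over a directory of downloaded text files flags which ones would trigger modeline processing on a default vim configuration; with `set nomodeline` in `~/.vimrc`, as the port message recommends, none of them are honoured regardless of what the scanner reports.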

X? OMG, how original, exciting, and mysterious calling it "X" instead of 10. I guess it wasn't enough for MacOS 10. So I wonder if they will be able to let go of "X" when it is time for "XI"? Will version 10.1 be "X.1" or "10.1"? Or perhaps they will go redundant like Apple and call it X 10.1?

Even funnier that they call the latest Apple operating system "Mac OS Intel 10.5.6 - 10.6.4" in their pulldown menu.

Mac OS X is the name. 10.x.x is the version number.
You kinda have to do something when you get to version 10, because after that things start to sound awkward. I mean, doesn't Photoshop CS5 sound so much better than Photoshop 12?

No, it's not. The operating system is "OSX". The version is 10.4.2. That doesn't mean "tenth version of OSX" any more than Ubuntu 11.04 means "eleventh version of ubuntu"; the vendor chooses how to name and version their product. You are of course free to disagree with me, Apple, and whoever else you like, but you would be wrong-- as the vendor, all of this is their prerogative. I might suggest checking the wikipedia page for OSX if you want some clarification on the matter.

Five hours since you posted, and no one has thought of the obvious?
"[Mac OS / Adobe Reader] goes to Eleven!" That's the actual version number: "goes to Eleven!" After that, you count the exclamation points. "goes to Eleven!!!!!!!" is 7 versions after OS X.

SRW Iron (Chrome alt on windows) tends to be behind, and somehow I forgot to replace it w/Chromium on this PC, so I had no built-in autoupdate. A megavideo on-click-to-play-flash-movie event on that site always triggers some "benign" FLASH pop-up to reelhd.com and today the latter came with a payload. The usual site lie says I need to click to download *their own* xvid player. Except the browser prompts me if I really want to DL the triggered installer's exe... and even though I scoffed and cancelled TH

All those security concerns and yet you still:

A) Run the completely unvetted (and by their own admission, modified) SRWare Iron --> which lacks autoupdate --> which you for some reason trust more than Google's official version, or the Chromium nightlies (despite this exploit, lol?) --> not to mention that you can't exactly get the source code to SRWare, can you?

B) Use hosts files as some kind of attempt at security

C) (based on remark about promiscuity) believe that the websites you visit has anything to do

The problem is homogeneity of the market. If every user has the same version of the same PDF reader, an exploit can spread to everyone. If an exploit won't affect people using Chrome PDF Viewer, Foxit Reader, gPDF or XPDF or Mac OS X Preview, it severely restricts the effectiveness of the exploit. If everyone uses Adobe Reader on Windows, Mac OS X, Linux and mobile devices, an exploit like this can affect everyone.

While there are 3rd Party implementations of Flash Players, Adobe Flash Player is still ubiquitous. Adobe evolve the "standard" for commercial reasons with every version, leaving 3rd Party implementations behind and incompatible with new versions of the "standard".

Well, hard to do anything about it, half the proposed alternatives are even worse evils than Flash, and the other half doesn't give technophiles a stiffy.

And technophiles are, by the way, the main reason we're stuck with Flash in the first place: Adobe has tried to do the same with Adobe Reader, but since almost nobody uses all the random scripting crap they've added to it and only uses the baseline standard, alternative PDF viewers are able to display 99% of documents out there perfectly in spite of not ca

<i>Well, hard to do anything about it, half the proposed alternatives are even worse evils than Flash</i>

The problem isn't so much the Flash format, as the fact that the official Adobe player is the only one that really works well, precisely because the spec is a moving target. Basically, they add in some stuff to their spec (which they don't share with anyone yet), then implement it in their viewer and authoring software, and then release it (and at this time, release the updated spec). So, t

My local municipality collects income tax. It's a simple tax: 1%. It usually fits onto a simple, one-page form. But there's still some data entry and calculations for exemptions and crap and so, like anything else more complicated than taking a leak, it could be improved.

For the 1999 tax year, they issued a PDF tax form that automagically did the simple math for me, just by filling out the values in Adobe Reader/Acrobat/X/whatever it was then.

I do not appreciate fancy updates which pop up on my desktop from icons in the right lower corner. I had a virus attack from such an update. It was masqueraded as a Java update. I removed Java from my computer completely after that.

I am seriously considering removing the Adobe Reader and Flash too.

Why just not inform us that an update is available and give the clear URL link to an update file on the Adobe website? Or at least update when I open the Reader and asked for an update or confirmed an offer to upd

I downloaded a PDF at the library to print it. No problem. Then I couldn't delete the document from the library's system. They had to uninstall Adobe to get it to stop displaying my document. I'm wondering if the document will still appear if someone re-installs Adobe. Assholes.

Ok, let's all rally a hurray for you (seeing you pat yourself on the back here) for doing something you should have done from day one...i say, we still haven't forgiven you for all the other exploits out there that are still very functional, and lead to many millions of dollars damages....let's remember this point too....and keep the back patting to a minimum....mmmkay.